ECC-based three-factor authentication and key agreement scheme for wireless sensor networks

In wireless sensor networks (WSNs), protocols with authentication and key agreement functions can enhance the security of the interaction between users and sensor nodes, guaranteeing the security of user access and sensor node information. Existing schemes have various security vulnerabilities and are susceptible to security attacks (e.g., masquerading user, password guessing, internal privilege, and MITT attacks), so they cannot meet the anonymity requirements or achieve forward security. To effectively improve the security performance of WSNs, an elliptic curve cryptography (ECC)-based three-factor authentication and key agreement scheme for WSNs is proposed. The scheme is based on the ECC protocol and combines biometrics, smart card and password authentication technology; uses a challenge/response mechanism to complete the authentication between users, gateways, and sensors; and negotiates a secure session key. The Burrows, Abadi and Needham logic for formal security analysis proves the correctness and security of the scheme, and the informal analysis of multiple known attacks proves that the scheme can resist various attacks and has high security characteristics. The feasibility of the scheme has been analysed and verified with the ProVerif tool. The efficiency analysis results show that the scheme is suitable for resource-constrained WSNs.

show that the scheme is suitable for resource-constrained WSNs. This is a substantial advantage for sensor nodes that have limited computational and storage resources and is expected to have a positive impact in the real world.
To effectively enhance the security performance of WSNs, this study proposes a three-factor authentication and key agreement scheme based on elliptic curve cryptography (ECC). The scheme is based on the ECC protocol, combines biometric, smart card and password authentication techniques, uses a challenge/response mechanism to complete the authentication between the user, the gateway and the sensor, and negotiates a secure session key. The correctness and security of the scheme are validated through formal security analysis using BAN logic. In addition, the scheme is shown to be highly secure against various attacks through informal analysis of a variety of known attacks. To ensure the feasibility of the research, the paper also provides an exhaustive analysis and validation of the scheme using the ProVerif tool. The final efficiency analysis results show that the scheme is suitable for resource-constrained WSNs and provides a feasible and efficient solution for secure communication in WSNs. The purpose of this study is to promote the development of security in the field of WSNs and to provide a more reliable protection mechanism for wireless sensor networks in practical applications.

Related works
In 2015, Lee et al. 2 proposed a non-tamper smart card authentication key protocol scheme based on anonymous passwords. In 2017, Wu et al. 3 noted that the scheme of Lee et al. 2 is not resistant to smart card loss, spoofed user, spoofed server and similar attacks. Wu et al. therefore proposed an enhanced anonymous password authentication key agreement scheme. In 2016, Jiang et al. 4 proposed a two-factor authentication scheme based on elliptic curve cryptography (ECC) for untraceable time vouchers in WSNs. In 2018, Li et al. 5 found flaws in the work of Jiang et al. 4, such as the lack of a password detection and change mechanism and a clock synchronization problem. Thus, Li et al. proposed a three-factor anonymous authentication scheme for WSNs in the IoT environment, using a fuzzy commitment scheme and an error correction code to process user biometric information; however, the scheme proved to be unable to resist smart card loss attacks or to achieve forward security. In 2022, Meriam et al. 6 performed an informal security analysis of the protocol of Li et al. 5, and the results showed that it cannot achieve anonymity and cannot resist session key leakage, internal, and other attacks. Thus, Meriam et al. proposed a three-factor mutual authentication and key agreement protocol for IoT WSNs based on lightweight ECC, using physically unclonable functions (PUFs) and ECC to improve security and effectively solve the security problems of Li et al.'s proposal 5.
In 2017, Wu et al. 7 proposed a user authentication scheme for WSNs based on the Internet of Things (IoT) and, in the same year, an efficient authentication and key agreement scheme for multigateway WSNs in IoT deployments 8. In 2019, Bayat et al. 9 noted that the scheme of Wu et al. 7 could not withstand certain security attacks. Thus, Bayat et al. proposed an analysis and improvement of the ECC-based user authentication scheme for the IoT. In 2019, Guo et al. 10 found that the scheme of Wu et al. 8 was inefficient and instead proposed a secure and efficient three-factor multigateway authentication protocol for WSNs; however, this scheme proved to be unable to resist offline password guessing and other attacks. In 2017, Jung et al. 11 proposed an efficient and secure anonymous authentication scheme based on key agreement in WSNs. In the same year, Sravani et al. 12 proposed an authentication key establishment scheme based on a secure signature for future IoT applications. However, the scheme was not resistant to man-in-the-middle attacks and was too complex and inefficient 13.
In 2021, Azrour et al. 14 proposed a new, enhanced IoT authentication protocol based on the literature 2, 5, and 9 that could resist replay, internal, and other attacks. In 2021, Vinoth et al. 15 proposed a multifactor authentication key protocol scheme for industrial IoT security; however, this scheme could not deal with certain types of attacks, such as sensor node capture and replay attacks. In 2021, Xue et al. 16 proposed a lightweight three-factor authentication and key agreement scheme for multigateway WSNs in the IoT based on a summary of the literature 10, 14, and 15 and proved the correctness and security of the proposed scheme through BAN logic and the BPR model. However, the scheme could not guarantee the security of the user's private key or negotiate a secure session key.

Motivation
The motivation of this paper is to improve the security of wireless sensor networks (WSNs), especially to enhance the authentication and key agreement features in the interaction between users and sensor nodes. Currently existing schemes suffer from various security vulnerabilities and are susceptible to security attacks such as masquerading users, password guessing, internal privileges, and man-in-the-middle attacks. These vulnerabilities make it difficult for existing schemes to meet anonymity requirements and achieve forward security. In this article, an integrated authentication and key agreement scheme based on the ECC protocol is proposed, combining multiple authentication techniques to improve the security performance of WSNs, and its feasibility and high level of security are demonstrated through formal and informal security analysis.

Their contribution
1) This paper proposes a three-factor authentication and key agreement scheme based on ECC for WSNs 17. The new scheme is based on the ECC key agreement mechanism and introduces the challenge/response mechanism to establish authentication and key agreement among the users, gateways and sensors of WSNs. The security of the scheme rests on the security properties of biometrics, the elliptic curve discrete logarithm problem, and the one-way property of the hash function.
2) After the authentication and key agreement between the user and the sensor is completed, a password update and smart card logout scheme is proposed to help users manage smart cards better and enhance the security of the scheme. 3) The proposed scheme is validated in several forms. The scheme's security is assessed through a formal analysis employing BAN logic. In addition, the informal security analysis shows the security performance of the scheme and its resistance to various attacks. Furthermore, simulations using the ProVerif tool validate the feasibility of the proposed scheme. Finally, the performance analysis shows that the scheme improves security without increasing energy consumption.
The road-map of the paper is as follows. In Section "Mathematical preliminaries", some basics of mathematics and information security are reviewed and the notations, descriptions and threat model used by the scheme are defined. In Section "Safety analysis of existing schemes", the advantages and some security vulnerabilities in the work of Xue et al. 16 are discussed. Sections "The proposed scheme" and "Security analysis" present the proposed scheme and the corresponding security analysis, respectively. In Section "Efficiency analysis", the performance of the proposed scheme is evaluated, and finally, the whole paper is concluded in Section "Conclusions".

Mathematical preliminaries

Cryptanalysis
Cryptanalysis, a subset of cryptography, is the process of deciphering or breaking cryptographic systems. It draws on mathematics, computer science, and engineering to uncover encrypted data. The primary objective of cryptanalysis is to achieve unauthorized access to encrypted information by scrutinizing weaknesses in encryption algorithms, key management, and security mechanisms. This involves activities such as password guessing, analysing the mathematical aspects of encryption algorithms, identifying vulnerabilities in encryption keys, and exploiting errors in implementation. The efficacy of cryptanalysis hinges on the intricacy and robustness of the cryptosystem. This field plays a pivotal role in information security, contributing to the evaluation and enhancement of cryptographic system strength.

ECC and ECDH 18
Elliptic Curve Cryptography (ECC) is a public key encryption algorithm that is widely used in the field of cryptography. The security of ECC is based on the discrete logarithm problem on elliptic curves, which is considered hard to solve; thus, encryption algorithms based on this mathematical problem provide a high level of security. Compared to traditional RSA algorithms based on the integer factorization problem, ECC can use shorter key lengths while providing the same level of security, thus reducing the computational and storage requirements. Overall, elliptic curve cryptography is an important part of modern cryptography and provides a powerful tool for secure communication.
The elliptic curve Diffie-Hellman key exchange (ECDH) is mainly used to establish a shared secret over an insecure channel; the shared secret is generally used by both parties as a "symmetric encryption" key for subsequent data transmission. ECDH is based on the premise that, given a point P on an elliptic curve and an integer k, it is easy to compute Q = kP, but it is difficult to recover k from Q and P.

BAN logic
BAN logic is a formal method for analysing and verifying cryptographic schemes, proposed by Burrows, Abadi, and Needham (BAN) in 1989 19. The basic idea of BAN logic is to convert the messages of a cryptographic scheme into a logical language representation and then use inference rules to derive the beliefs and goals of the participants in the scheme. BAN logic can be used to find vulnerabilities in a scheme in order to improve its security and efficiency.
Table 1 shows the notations used by BAN logic 20.

… field of practical applications. A large number of fast and effective security schemes have been proposed, and at the same time they produced the notion of "concrete security" or "exact security", meaning that they no longer satisfy only an asymptotic degree of security but can obtain a more accurate, exact security measure. Practice-oriented provable security theory has been widely accepted by academia and industry. In cryptography, a random oracle is an idealized oracle (put simply, a black box for the theory) that returns a truly uniformly random output for any input, and for the same input it returns the same output every time (i.e., if a query is repeated, it responds in the same way each time the query is submitted). In other words, a random oracle is a function that maps every possible input to a uniformly random output.
The random oracle model is usually an idealized stand-in for a real hash function and has its origins in the idea of viewing hash functions as pseudorandom. The random oracle model has the following properties: 1) Consistency: identical inputs produce identical outputs. 2) Computability: the output can be computed in polynomial time. 3) Uniform distribution: the oracle's output is spread evenly across the value space without any overlaps. 4) In the random oracle model, it is assumed that the adversary does not exploit any weakness of the hash function to attack the cryptographic scheme.

Notations and descriptions
Table 2 shows the notations used in this paper and descriptions of these notations.

Threat model 18
In this article, the following threat model is used: 1) Communication conducted over a public channel is susceptible to eavesdropping, giving attackers an advantage. 2) Threats to any system can come from external entities or even from legitimate users who may act as attackers. 3) Attackers have the capability to manipulate, erase, redirect, and replay intercepted messages, compromising the integrity of the communication. 4) The attacker is assumed to possess knowledge of the protocol used in the authentication system.

Safety analysis of existing schemes 16
Scheme 16 proposes an authentication and key agreement scheme for multigateway environments. In the scheme, the biometric, a crucial element, is extracted and authenticated using a fuzzy extractor. The scheme consists of the following six processes: 1) System initialization. The SA assigns identities ID_hg, ID_fg and private keys x_hg, x_fg to HGWN and FGWN and establishes a shared key K_hf. HGWN and FGWN independently choose three random numbers, denoted R_h, R_f and R_fh, respectively.
… mod n_0 to SC, HGWN saves SID_j, and S_j saves x_j. 3) Login. U_i inputs ID_i, PW_i, and BIO_i; SC verifies the identity of U_i by calculating B_2 = h(HPW_i‖α_i‖ID_i‖r_i) mod n_0, and if the verification passes, U_i sends M_1 = {TID_i, ID_hg, SID_j, D_0, D_1, D_2, D_3, T_1} over the public channel to HGWN. 4) Authentication and key agreement. After receiving the communication request between U_i and SID_j, HGWN first verifies whether the designated sensor S_j is within its communication range. If HGWN can retrieve SID_j from its local database, it proceeds according to Case 1, and the three parties U_i, HGWN, and S_j perform authentication and key agreement; otherwise, it proceeds according to Case 2, and the four parties U_i, HGWN, FGWN, and S_j perform authentication and key agreement. 5) Password update. The user enters his or her ID_i, PW_i, and BIO_i, and SC verifies them. If the verification passes, the user enters the new password, … and e_i′, and saves them. 6) Smart card logout. The user enters his or her ID_i, PW_i, and BIO_i, and SC verifies them. If the verification passes, U_i sends M_0 = {TID_i, β_i, R_0, T_1} over the public channel to HGWN. HGWN verifies by computation that K_i′ is equal to K_i; if the verification passes, it deletes U_i's information {ID_i, K_i, honey_list}.
The existing scheme 16 has some advantages in resisting password guessing, replay, and other attacks and in achieving two-way authentication and key agreement; however, it also has security vulnerabilities, such as the inability to guarantee anonymity and the potential to suffer from MITT attacks. In this section, the advantages of the scheme and its security vulnerabilities are presented 21.

Advantages of the scheme 16
The advantages of the scheme 16 include the following: 1) The use of biometric-based fuzzy extraction technology effectively enhances the security of user login via the three-factor authentication mechanism. 2) The security of the authentication process is ensured through use of the challenge/response mechanism 22. 3) The user's secret x_i and the sensor's secret x_j are calculated using the hash function and are not transmitted in the public channel, which prevents the secrets from being cracked and ensures forward security. 4) The honey list technique is adopted, which prevents password guessing attacks by limiting the number of logins and avoids smart card loss attacks and offline guessing attacks. 5) Replay attacks are avoided by setting the timestamp T. 6) Two-way authentication and key agreement are achieved, and the negotiated session key SK contains random numbers of the user, gateway, and sensor to improve the security of the negotiated key 23.

Security vulnerabilities of the scheme 16
The security vulnerabilities of the scheme 16 include the following: 1) Unable to meet the anonymity requirement: During the registration process, U_i sends ID_i to HGWN, S_j sends SID_j to HGWN, and HGWN sends ID_hg to U_i. An attacker intercepting ID_i, ID_hg, and SID_j in the public channel easily obtains the identities of the user, gateway, and node. Therefore, the scheme cannot guarantee anonymity. 2) Unable to secure user parameters 24: During the registration process, U_i sends {ID_i, HPW_i, β_i} to the HGWN. The attacker intercepts ID_i in the public channel. During the login process, U_i sends M_1 = {TID_i, ID_hg, SID_j, D_0, D_1, D_2, D_3, T_1} to the HGWN. The attacker intercepts D_2 in the public channel and calculates: … The attacker intercepts D_0 and calculates: … The attacker thus obtains all the parameters of the user login. 3) Unable to secure the user secret x_i and sensor secret x_j: During the registration process, U_i sends {ID_i, HPW_i, β_i} to HGWN and HGWN sends {TID_i, β_i, e_i, ID_hg} to U_i. The attacker intercepts HPW_i, ID_i, β_i, and e_i in the public channel and calculates: … The user secret x_i is cracked. The attacker directly obtains the sensor secret x_j in the public channel.
… According to Points (4) and (5) above, the attacker cracks r_u and r_hg and intercepts SID_j, ID_hg, x_j, T_2 in the public channel; D_6 can then be cracked by calculating: … The algorithm by which the sensor authenticates the gateway is cracked. 7) Unable to negotiate a secure session key: The negotiated key is SK_s = h(r_u‖r_hg‖r_s‖ID_hg). During the login process, according to Points (4) and (5) above, the attacker breaks r_u, r_hg, r_s and intercepts ID_hg in the public channel, and can therefore crack: … The scheme cannot negotiate a secure session key, and it has forward security problems. 8) Unable to resist MITT attacks: The attacker records all M_1 = {TID_i, ID_hg, SID_j, D_0, D_1, D_2, D_3, T_1} sent to the GWN, all M_2 = {D_4, D_5, D_6, T_2} sent to S_j, and all x_j sent to S_j by the gateway, and then calculates: … For each group M_1, the attacker calculates: … If equal, the attacker can determine user U_i with its corresponding S_j and obtain the values of the parameters r_u, x_i, and so on. The attacker starts a new session with user U_i, selects r_hg, r_s, and TID_i′, and calculates: … If equal, according to the rule, the user accepts this SK as the agreed key and the attacker has successfully carried out the MITT attack.

The proposed scheme
In this section, an ECC-based three-factor authentication and key agreement scheme for WSNs is proposed, the improvement measures of the scheme are introduced, and then a specific implementation, including system initialization, node registration, user registration, two-way authentication and key agreement, password update, and smart card logout, is presented 17. The proposed scheme operates under the following security assumptions: 1) The gateway cannot be compromised and has unlimited computation, storage, and communication capabilities. 2) The WSN is a bidirectional channel, and nodes can communicate normally. 3) The WSN employs asymmetric encryption, meaning it utilizes both public and private keys. 4) Upon successful completion of the key agreement in the WSN, the user and the sensor node can establish communication using the session key.

Scheme improvement measures
1) The authentication scheme is designed using an ECC key agreement protocol to ensure the forward security of the scheme. 2) The user ID is replaced by the hashed user identifier TID, all IDs are forbidden from being sent in the clear, and no direct XOR calculation is performed on them, to ensure the anonymity of the scheme. 3) The random numbers r_u and r_s are forbidden from being sent in clear text, and no direct XOR calculation is performed on them, to ensure secure two-way authentication and key agreement and to resist MITT attacks 26. 4) More complex parameters are selected to improve the security of the session key. 5) The relevant parameters in the smart card SC are updated after two-way authentication and key agreement to ensure that the scheme is resistant to internal attacks 27.

Specific implementation plan

1) System Initialization
At the very beginning, the system needs to be initialized. GWN selects E(F_p), P, h(·) and the secret value K_G, publicly releases E(F_p), P, h(·), and keeps K_G secret.

2) Node Registration
After the system is initialized, the node can start registering. Node S_j applies for registration to the GWN, which selects the unique SID_j of the node, calculates x_j = h(SID_j‖K_G), and writes {SID_j, x_j} to node S_j.

3) User Registration
After the system is initialized, the user can start registering. The user registration process is shown in Fig. 1.
• Step R1: User U_i inputs ID_i, PW_i, BIO_i, chooses a random number r_i ∈ Z_p*, calculates R_i = r_i·P, Gen(BIO_i) = (α_i, β_i), TID_i = h(ID_i‖α_i‖r_i), HPW_i = h(PW_i‖α_i), and sends {TID_i, HPW_i, R_i} to GWN.
• Step R2: The gateway GWN chooses a random number r_g ∈ Z_p* and calculates R_g = r_g·P. After GWN receives the message from U_i, it calculates e_i, sets the number of logins List = 0, saves {TID_i, HPW_i, List = 0}, writes {R_g, e_i} to smart card SC_i and issues it to U_i.
• Step R3: User U_i receives the smart card SC_i and calculates …
… verifies whether D_3* is equal to D_3 and continues if it is, incrementing List by one; otherwise, the session is terminated. GWN calculates … and sends {R_u, R_g, D_4, D_5, D_6, D_7, T_2} to S_j. • Step A3: The sensor S_j receives the message, selects T_3, verifies whether |T_3 − T_2| ≤ △T and continues if it is; otherwise, the session is terminated. S_j selects a random number …
… ≤ △T and continues if it is; otherwise, the session is terminated. … is calculated, whether D_10* is equal to D_10 is verified, and the protocol continues if it is; otherwise, the session is terminated. This completes the two-way authentication and negotiates the session key SK for user U_i and sensor S_j. Finally, …′, e_i′ replace B_1, B_2, e_i within the smart card SC_i.

5) Password Update
Users can also perform a password update at any time after completing the authentication and key agreement. The password update process is shown in Fig. 4.
…^new, e_i^new, and the password update is completed.

6) Smart Card Logout
Smart card logout can be performed when the user's smart card is no longer in use. The smart card logout process is shown in Fig. 5.
…, verifies whether x_i* is equal to x_i and continues if it is; otherwise, the session is terminated. Finally, the messages associated with U_i, {TID_i, HPW_i, List}, are deleted, and smart card revocation is completed.

Security analysis
This section provides a formal security analysis of the scheme using BAN logic. The informal security analysis is performed through Propositions 1 to 11 for a variety of known attacks. The security analysis proves the correctness of the scheme; it can resist various security attacks and has high security characteristics 28.

Formal analysis based on BAN logic
Next, BAN logic is used to demonstrate the security of the scheme. …) means that A's advantage in a successful attack does not increase. Hence, … G_2: A is allowed to make Send(*_I, m) and H queries to persuade the legitimate communicator with forged messages. The simulation concludes only if A manages to find collisions and successfully constructs convincing messages. The probabilities of these events, based on the birthday paradox 29, are q_h²/2^{l+1} and (q_s + q_e)²/(2(p − 1)). Hence, … G_3: This game differs from the earlier games in that A successfully guesses the correct authentication factors D_3, D_7, D_9, and D_14. The simulation concludes if H queries are not utilized. It is identical to the previous games in all aspects, except for situations where correct authentication is refused. Hence, … G_4: In this game, A can acquire more information through the Corrupt(U_i, a) query. A successfully guesses α_i, of length l_α, with probability q_s/2^{l_α}. Additionally, A successfully guesses the victim's password with probability C′·q_s^{s′}. The likelihood of A guessing the correct x_i is q_s/2^l. Hence, … Based on Eqs. (31) to (36), either Conclusion (30) or Conclusion (37) can be inferred:

1) Goals
Formal security verification via ProVerif 30

This section presents the formal security verification of the proposed scheme using the Pi calculus-based simulation tool ProVerif. To date, ProVerif has been used to verify many protocols and demonstrate their correctness and robustness, so ProVerif is used in this study to verify the secrecy and authentication properties of the focal protocol. The channels, variables, constants, operations and events are defined as shown in Fig. 6. According to the execution of the proposed scheme, the process of U_i is defined as shown in Fig. 7, the process of GWN is modeled as shown in Fig. 8, and the process of S_j is modeled as shown in Fig. 9. The queries are defined and the whole scheme is simulated as executing in parallel as shown in Fig. 10. The outputs of the ProVerif verification are shown in Fig. 11. Results (1) and (2) indicate the secrecy of the proposed scheme, because the attacker's queries on the session keys SK_S and SK_U fail. Moreover, Results (3) and (4) confirm the successful mutual authentication between U_i and S_j. In other words, the proposed scheme not only provides the secrecy of the session key, but also achieves the authentication property by verifying the correspondence assertions in the Dolev-Yao model.

Informal analysis
This scheme can resist many common attacks and effectively addresses the shortcomings of existing schemes. The proof is as follows: Proposition 1 The scheme has anonymity. Proof No identity ID in the scheme is transmitted in clear text over the public channel; the identifiers TID_i = h(ID_i‖α_i‖r_i) and TID_i′ = h(ID_i‖α_i‖r_u) are used in place of the ID for transmission 17. Assuming that the attacker intercepts TID_i, by the one-way property of the hash function the attacker cannot recover ID_i 31. In addition, even if the attacker intercepts both TID_i and TID_i′, it is impossible to determine whether the two parameters come from the same ID; hence, the scheme has anonymity.

Proposition 2 The scheme is resistant to registered legitimate user attacks.
Proof Suppose attacker U_a registers as legitimate user ID_a and calculates TID_a = h(ID_a‖α_a‖r_a). U_a registers with gateway GWN, which calculates x_a = h(TID_a‖K_G) and K_a = h(TID_a‖HPW_a). The TID_a generated by the attacker from ID_a differs from the TIDs of other legitimate users, and the x and K obtained by registering with GWN through TID_a also differ. Therefore, the scheme resists registered legitimate user attacks by generating fresh identity information TID, and the attacker cannot obtain the messages of any other legitimate user by registering as a legitimate user.

Proposition 3
The scheme is resistant to smart card loss attacks and offline guessing attacks 17 .
Proof Suppose that a user's smart card is lost or stolen, and the attacker obtains the card and, by differential power analysis, the information it contains, B_1 = h(ID_i‖α_i‖PW_i) ⊕ r_i and B_2 = h(HPW_i‖ID_i‖α_i‖r_i) mod n_0. Because B_1 and B_2 are built from a one-way hash function, the attacker is unable to extract the password PW_i of user U_i from them. Second, if the attacker wishes to obtain the user's password PW_i through offline password guessing, he or she needs the biometric α_i and the private key r_i; since the attacker possesses neither α_i nor r_i, the attacker is unable to carry out an offline password guessing attack 32. Again, for B_2 = h(HPW_i‖ID_i‖α_i‖r_i) mod n_0, when n_0 is taken large enough, the number of password guesses grows exponentially and it is not feasible to obtain the password by offline guessing. Finally, the gateway records the number of user authentications List, and it is impossible for an attacker to complete an offline guessing attack within a limited number of guesses. Therefore, the scheme resists smart card loss attacks and offline guessing attacks by means of hash functions, biometrics, modulo arithmetic, and recording the number of authentication attempts, which are infeasible to defeat regardless of whether the attacker tries to extract the password from the smart card or crack the password through offline guessing.

Proposition 4 The scheme is resistant to spoofed user attacks.
Proof To impersonate a user logging in to the gateway, the attacker needs to send {R_u, D_2, D_3, TID_i, T_1} to the gateway, where R_u = r_u·P, …; the attacker would need to know the user's private key r_u, identifier TID_i, password PW_i, biometric α_i, secret x_i, key parameter K_i, and so on, and it is clear that the attacker cannot possess all of these parameters at the same time, so a spoofed user attack cannot be mounted. Therefore, the scheme resists spoofed user attacks by setting various parameters.

Proposition 5 The scheme is resistant to internal attacks.
Proof There is a possibility that insiders at the gateway leak user information. In the user registration stage, the user's registered password PW_i is protected by HPW_i = h(PW_i‖α_i), and the insider may obtain HPW_i. Based on the one-way nature of the hash function, the insider is unable to compute PW_i from HPW_i = h(PW_i‖α_i) 33. In addition, HPW_i also contains the user's biometric α_i, and the insider cannot obtain α_i in order to guess the correct PW_i offline. Therefore, the scheme resists internal attacks by setting HPW_i.

Proposition 6
The scheme is resistant to tampering attacks.
Proof Suppose the attacker tampers with the message sent by the user to the gateway; the gateway receives the message and needs to verify whether D_3* is equal to D_3. To forge D_3, the attacker needs the user's private key r_u, identifier ID_i, password PW_i, secret x_i, key parameter K_i 34, etc. These parameters are not propagated in plaintext over the public channel, and the attacker cannot pass verification at the gateway without them. Therefore, by setting multiple parameters, the scheme makes it impossible for an attacker to produce a valid D_3. The scheme is resistant to tampering attacks.

Proposition 7
The scheme is resistant to replay attacks.
Proof A replay attack occurs when an attacker resends a packet that has already been received by the target in order to spoof the system. All the messages sent in the two-way authentication process contain the timestamp T, and all parties need to verify whether the time difference is less than △T after receiving the message. If the attacker carries out a replay attack, the replayed message is recognized by verifying the timestamp. The scheme resists replay attacks by adding timestamps.

Proposition 8
The scheme is resistant to MITT attacks.
Proof According to the challenge/response mechanism, both the user and the gateway, and the sensor and the gateway, need to verify each other's identity. According to Propositions 4 and 6, which have already been proven, the attacker cannot impersonate the user or tamper with the message, so the attacker cannot launch a MITT attack disguised as an intermediary. The same can be proven for the communication between sensors and gateways. In addition, the timestamps and random numbers are fresh and cannot be forged by a MITT attacker 35. Therefore, an attacker cannot insert him- or herself as a man in the middle. The scheme makes it impossible for the attacker to accomplish MITT attacks by authenticating the user, gateway, and sensor.

Proposition 9
The scheme is resistant to Denning-Sacco attacks [36].
Proof. Suppose the attacker steals the agreed session key SK = h(SID_j ‖ r_g ‖ R_su ‖ C_u ‖ C_s ‖ TID_i'). SK is the output of a hash function [37], and by its one-way property the attacker cannot recover the parameters hashed into SK. In addition, the values that determine SK, such as the user private key r_u, the gateway private key r_g, the sensor private key r_s, C_u and C_s, are never transmitted over the public channel, so a compromised SK gives the attacker no way to derive any other session key. Therefore, the scheme resists Denning-Sacco attacks by deriving the session key SK through a hash transformation over multiple secret parameters.

Proposition 10
The scheme has forward security.
Proof. Suppose the attacker intercepts the public keys R_u and R_s of the user and the sensor. Computing SK additionally requires r_u, r_g, r_s, C_u and C_s, none of which is transmitted over the public channel, so the attacker cannot obtain them. An attacker attempting to recover r_u from R_u = r_u*P or r_s from R_s = r_s*P faces the elliptic curve discrete logarithm problem (ECCDLP), and an attacker attempting to compute r_s*R_u = r_u*R_s = r_u*r_s*P from R_s and R_u alone faces the elliptic curve computational Diffie-Hellman problem; both are believed intractable on a properly chosen curve. Therefore, the scheme provides forward security.

Proposition 11
The scheme enables both two-way authentication and key agreement.

Proof. The scheme achieves two-way authentication of the user and the gateway through the verification values exchanged between them (including D_3, which the gateway checks), and achieves two-way authentication of the gateway and the sensor through D_7 = h(TID_i' ‖ SID_j ‖ C_u ‖ r_g ‖ x_j ‖ T_2) and D_9 = h(SID_j ‖ r_g ‖ D_8 ‖ x_j ‖ C_s ‖ T_3). During the same exchange the session key SK_s = h(SID_j ‖ r_g ‖ R_su ‖ C_u ‖ C_s ‖ TID_i') = h(SID_j ‖ r_g ‖ R_us ‖ C_u ‖ C_s ‖ TID_i') = SK_u is negotiated, the two sides agreeing because R_su and R_us are the same point (r_u*R_s = r_s*R_u).
Table 3 shows the security comparison of each scheme.It can be seen that this scheme has better security.
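The following Python program is an added example and is not code from the paper. It instantiates the sensor-to-gateway exchange of Step A4 (S_j sends {R_s, D_9, T_3}; the GWN checks the timestamp, recomputes C_s*, D_8* = r_g•R_s and D_9*, and compares with D_9) together with the key-agreement consistency of Proposition 11 (r_u*R_s = r_s*R_u), then exercises the checks behind Propositions 6, 7 and 10 on a tampered, replayed and stale message. Everything the paper leaves open is an assumption made here: secp256k1 as the curve, SHA-256 as h(·), points encoded as 65-byte uncompressed SEC1 and integers as fixed-width big-endian bytes for ‖, ΔT = 5 s, and the value r_g hashed into D_9, which is handed to S_j as an already-shared session value because the protocol fragment on this page does not show how S_j obtains it. D_10 is not modelled, and the record of accepted messages kept by the gateway (which rejects an exact copy replayed inside the ΔT window) is an added check that the paper does not specify.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public values; the paper names no
# curve, so this choice is an assumption of the example).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # maximum permitted transmission delay in seconds (assumed value)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    """Point encoding used inside '||': 65-byte uncompressed SEC1 (assumption)."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):
    """h(.) instantiated as SHA-256 over the byte concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()

def keygen():
    # Private scalar r and public point R = r*P; the paper's base point P is G here.
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, G)

def sensor_step_a3(r_s, R_s, R_g, x_j, sid_j, r_g_val, t3):
    """S_j computes C_s = h(R_s||x_j), D_8 = r_s*R_g and D_9, and sends {R_s, D_9, T_3}.
    r_g_val is the gateway value hashed into D_9 on the page; it is passed in as an
    already-shared value because this fragment does not show how S_j obtains it."""
    C_s = h(enc(R_s), x_j)
    D_8 = mul(r_s, R_g)
    D_9 = h(sid_j, r_g_val, enc(D_8), x_j, C_s, t3.to_bytes(8, "big"))
    return {"R_s": R_s, "D_9": D_9, "T_3": t3}

def gateway_step_a4(msg, r_g, x_j, sid_j, r_g_val, t4, seen):
    """GWN Step A4: require |T_4 - T_3| <= DELTA_T, then D_9* built from
    C_s* = h(R_s||x_j) and D_8* = r_g*R_s must equal the received D_9. `seen`
    remembers accepted messages so an exact copy replayed inside the window is
    refused as well (an added check the paper does not specify)."""
    if abs(t4 - msg["T_3"]) > DELTA_T:
        return False, "stale timestamp"
    fingerprint = (enc(msg["R_s"]), msg["D_9"], msg["T_3"])
    if fingerprint in seen:
        return False, "replayed message"
    C_s_star = h(enc(msg["R_s"]), x_j)
    D_8_star = mul(r_g, msg["R_s"])
    D_9_star = h(sid_j, r_g_val, enc(D_8_star), x_j, C_s_star,
                 msg["T_3"].to_bytes(8, "big"))
    if D_9_star != msg["D_9"]:
        return False, "D_9 mismatch"
    seen.add(fingerprint)
    return True, "ok"

def demo():
    """Run the checks on constructed keys and secrets and return the outcomes."""
    r_g, R_g = keygen()
    r_s, R_s = keygen()
    r_u, R_u = keygen()
    x_j = secrets.token_bytes(32)      # sensor secret from registration (constructed)
    r_g_val = secrets.token_bytes(32)  # gateway value hashed into D_9 (assumption)
    sid_j = b"SID_j-0007"              # constructed sensor identity
    t = 1_700_000_000                  # T_3 in seconds (constructed)
    seen = set()
    msg = sensor_step_a3(r_s, R_s, R_g, x_j, sid_j, r_g_val, t)
    out = {"accept": gateway_step_a4(msg, r_g, x_j, sid_j, r_g_val, t + 1, seen)}
    out["replay"] = gateway_step_a4(msg, r_g, x_j, sid_j, r_g_val, t + 2, seen)
    out["late"] = gateway_step_a4(msg, r_g, x_j, sid_j, r_g_val, t + DELTA_T + 1, set())
    forged = dict(msg, R_s=keygen()[1])  # attacker swaps in its own point (Proposition 6)
    out["tamper"] = gateway_step_a4(forged, r_g, x_j, sid_j, r_g_val, t + 1, set())
    # R_su = r_u*R_s on the user side equals R_us = r_s*R_u on the sensor side
    # (Proposition 11); an eavesdropper holding only R_u and R_s faces the
    # elliptic curve Diffie-Hellman problem (Proposition 10).
    out["agreed"] = mul(r_u, R_s) == mul(r_s, R_u)
    return out

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The gateway's three rejections map onto the propositions: a swapped R_s changes C_s* and D_8* and so D_9* (tampering), a copy of an accepted message is caught by the fingerprint set (replay inside ΔT), and a message older than ΔT is refused before any point multiplication is spent on it, which is the cheap check a constrained gateway or sensor should run first.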

Efficiency analysis
The sensor nodes of WSNs have limited resources and low computational capacity. In this section, the performance of the scheme is analysed from two aspects, computation overhead and communication overhead, and comparison with other schemes [38] shows that the scheme is suitable for resource-constrained WSNs.

Computation overhead
From the computation times in Table 4, it can be seen that the fuzzy-extractor operation T_FE and the point multiplication T_ecm are the expensive operations. T_FE is incurred similarly by every scheme, so the comparison focuses on T_ecm. Because this scheme uses ECC-based key agreement, its point multiplication overhead is higher than that of schemes relying only on hash computation or symmetric encryption/decryption, but in return it offers stronger security than those schemes. For WSNs, the computational overhead of the resource-constrained sensor nodes matters most. Compared with schemes [6], [39] and [40], which also use point multiplication, the sensor node in this scheme performs only one additional point multiplication, so the scheme does not place undue pressure on sensor computation. Although the other schemes have lower computational overhead, the present scheme is more effective against the security threats analysed above and is better suited to systems with high security requirements.

Communication overhead
The communication overhead is determined mainly by the data lengths of the identity, hash value, fuzzy-extractor public data, random numbers, timestamp, elliptic curve points (public keys) and symmetric encryption/decryption data. To make the comparison fair, a fixed length is assigned to each data type; the specific values are given in Table 6, the comparison of communication overheads is given in Table 7, and the communication overheads are plotted in Figs. 12 and 13 [41]. Because this scheme is based on ECC and each party's public key must be sent several times during the exchange, its communication overhead is slightly higher than that of the other schemes. For the resource-constrained sensor nodes, the communication overhead of this scheme equals that of scheme [39] and is slightly higher than that of schemes [6], [16] and [40], but it remains within the tolerance of the sensor nodes and is suitable for WSNs.

Conclusions
This paper examines multifactor authentication for WSNs. First, related schemes from recent years are reviewed, and on that basis the scheme of Xue et al. [16] is examined, with a focus on its advantages and security vulnerabilities. Then, a three-factor authentication and key agreement scheme based on ECC is proposed for WSNs. The security of the scheme is demonstrated by BAN logic and informal analysis, and the efficiency analysis shows that the scheme is suitable for resource-constrained WSNs. Overall, the proposed scheme improves the security of WSNs while remaining efficient and has good application value. Because of its ECC point multiplication operations, the computational energy consumption of the scheme is still higher than that of schemes using only hash operations; the next step of this research is therefore to improve the efficiency of the scheme without weakening its security.

Figure 2. The authentication and key agreement phase 1.
Displaced text from the authentication and key agreement phase:
… is calculated, and S_j sends {R_s, D_9, D_10, T_3} to the GWN.
• Step A4: The gateway GWN receives the message and selects T_4, verifies whether |T_4 − T_3| is less than or equal to ΔT and continues if it is; otherwise, the session is terminated. The GWN calculates C_s* = h(R_s ‖ x_j), D_8* = r_g • R_s and D_9* = h(SID_j ‖ r_g ‖ D_8* ‖ x_j ‖ C_s* ‖ T_3), verifies whether D_9* is equal to D_9 and continues if it is; otherwise, the session is terminated.

Figure 3. The authentication and key agreement phase 2.

Figure 7. The process of U_i.

Figure 9. The process of S_j.

Figure 10. Define the queries and simulate the scheme.

Figure 13. Comparison of node communication overhead.

Table 1. Notations used by BAN logic and their descriptions.

Table 2. Notations used in this paper and their descriptions.
r_i, r_u: the private keys r_i and r_u of the user U_i
ID_i: the identity of the user U_i
r_g: the private key of the gateway node GWN
ID_hg: the identity of the gateway node GWN
r_s: the private key of the sensor node S_j
SID_j: the identity of the sensor node S_j
R_i, R_u: the public keys R_i and R_u of the user U_i
PW_i: the password of the user U_i
R_g: the public key of the gateway node GWN
β_i: the auxiliary bit string generated by fuzzy extraction for the user U_i
‖: concatenation operator
h(·): hash function
T: timestamp
⊕: XOR operator
ΔT: maximum permitted transmission delay
mod: modulo operation

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z

Displaced text from the cryptanalysis of the scheme of Xue et al. [16]:
2) Registration. This stage comprises sensor registration and user registration. Both sensor nodes and users need to register their fundamental details with the nearest HGWN gateway. After the registration, …
Unable to secure the user private key r_u: During the login process, U_i sends M_1 = {TID_i, ID_hg, SID_j, D_0, D_1, D_2, D_3, T_1} to the HGWN. The attacker intercepts D_1 on the public channel, recovers x_i by point (3) above and calculates: … The user private key r_u is thus cracked.
5) Unable to secure the gateway private key r_hg and the sensor private key r_s: During the registration process, the HGWN sends {x_j} to S_j, and the attacker intercepts x_j on the public channel. During the authentication process, the HGWN sends M_2 = {D_0, D_4, D_5, D_6, T_2} to S_j and S_j sends M_3 = {D_7, D_8, T_3} to the HGWN. The attacker intercepts D_4, D_7, T_2 and T_4 on the public channel and can crack [25]: … , r_u, K_i, …
During the registration process, U_i sends {ID_i, HPW_i, β_i} to the HGWN, and during the login process, U_i sends M_1 = {TID_i, ID_hg, SID_j, D_0, D_1, D_2, D_3, T_1} to the HGWN. The attacker intercepts TID_i, ID_i, SID_j and T_1 on the public channel and, by calculating D_3 = h(TID_i ‖ ID_i ‖ SID_j ‖ r_u ‖ x_i ‖ K_i ‖ T_1), can forge D_3, so the gateway's authentication of the user is broken.
During registration, the HGWN sends {x_j} to S_j; during login, U_i sends M_1 = {TID_i, ID_hg, SID_j, D_0, D_1, D_2, D_3, T_1} to the HGWN; and during authentication, the HGWN sends M_2 = {D_0, D_4, D_5, D_6, T_2} to S_j. According to Points ( …
4) The attacker sends M_4 = {D_9, D_10, D_11, D_12, D_13, T_4} to U_i. U_i calculates: …

Displaced text from the login phase of the proposed scheme:
… is calculated, and U_i sends {TID_i, L_o, T_1} to the GWN.
• Step S2: The gateway GWN receives the message and selects T_2, verifies whether |T_2 − T_1| is less than or equal to ΔT and continues if it is; otherwise, the session is terminated. The GWN calculates K …

Table 4. Notations, descriptions and time consumption of each computational operation.

Table 6. Notations, descriptions and lengths of each communication data item.